-
May 3rd, 2004, 09:52 PM
#1
Sasser - Hosing NT4 too?
Although Microsoft is reporting the NT4 is not vulnerable to the LSASS vulnerability, I'm here to tell you otherwise. I have some NT4 servers that are loop rebooting due to LSASS crashing. Are there others out there seeing this behavior?
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
May 3rd, 2004, 10:14 PM
#2
Hoss: I don't have any NT4 servers left but it's my understanding of the worm that:-
1. It's very badly written
2. It can cause non-vulnerable systems to reboot even if they can't be exploited, it screws up LSASS anyway and the system just dumps.
You may be seeing repeated attempts to exploit even though the exploit never "takes hold"; you're experiencing a DoS as an inadvertent result of the worm.
As an aside..... Why do these systems have ports 445 or 139 exposed to the public network.... I have never managed to come up with a valid business reason for these being open to the public network, or RPC for that matter.... but there are so many boxes out there that get bitten by exploits running through them that someone must have a reason for them to be there......
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
May 4th, 2004, 02:23 AM
#3
The security bulletin at MS has NT 4 listed in the MS04-011 patch 835732
http://www.microsoft.com/security/se...04_windows.asp
although the info on MS here says NT 4 SP6a machines are NOT affected??? http://www.microsoft.com/security/incident/sasser.asp
Very confusing....
Maybe a variant that targets NT 4??
Sorry, can't be of more help
mlf
How people treat you is their karma- how you react is yours-Wayne Dyer
-
May 4th, 2004, 02:35 AM
#4
forgot something
We recently upgraded to 2003 Server
But when patching the NT4 machines... some patches (post SP6) seemed to knock out other ones and then they needed to be reapplied... in a certain order to take.
maybe this is why you got bit??
How people treat you is their karma- how you react is yours-Wayne Dyer
-
May 4th, 2004, 02:40 AM
#5
Heya Tiger,
Actually, none of the machines are internet-facing. These are all internal machines that got pounded after a rogue laptop was plugged into the inside.
I went to look at the problem because it made no sense to me why LSASS would be crashing, especially when port 445 is not open on NT4. After some closer investigation, the worm was also sending out propagation attempts on 139. TONS of NetBIOS traffic was flying around but interestingly, no infections took place. So it seems that the mere attempt to propagate was enough to send LSASS into a fit on NT4 machines.
At this hour, all is quiet on the western front after patches were installed on the NT boxes.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
May 4th, 2004, 03:02 AM
#6
all is quiet on the western front after patches were installed on the NT boxes
Why do I feel I'm not being told the entire truth??????
Where is the owner of the laptop?????
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
May 4th, 2004, 11:05 AM
#7
Ohhhhhh, that gal. Well let's just say she won't be an issue now or in the future.
Also, I sent a sample of the worm up to Symantec because I have not seen a single mention of port 139 use so this may actually be another variant.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
May 4th, 2004, 11:10 AM
#8
Hoss:
I had my suspicions about the perp..... You know you can't bury her in the back yard don't you.....
I have seen mention of port 139, that's why I mentioned it.... but I don't recall if that was the original version or a variant.
Have you seen Scimitar's question about the ARP storm on the front page? Any suggestions since you already dealt with the "little bugger"?
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
May 4th, 2004, 01:05 PM
#9
We have NT4, W2K and XP. I've seen the following effects:
NT4: Some systems seem to slow down because of a high number of pings received. Sasser cannot infect NT4? (NT4 systems that weren't patched had no problems except the slow down).
W2K: Crashes LSASS and therefore reboots. Doesn't seem to infect.
XP: Crashes LSASS, reboots and gets infected.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
May 4th, 2004, 05:45 PM
#10
Listening to a MS Webcast about Sasser now, asked if NT4 was affected, and they claim it is not vulnerable. If your system is infected it used more than 445 and 139. Depending on which of the 4 variants you have, it can also use ports 9996 or 5554.
MrCoffee
~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinkys: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!
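The thread describes two observable symptoms of an infected host regardless of whether its targets are exploitable: a burst of connection attempts to 445/139 across many internal machines (enough to knock over LSASS on NT4 boxes that are not even vulnerable), and, for the variants in post #10, listeners on 5554 or 9996. The script below is an added example, not code from the thread or from any poster; it runs a simple scanner-detection heuristic over constructed firewall log lines (the log format, host addresses and alert threshold are all assumptions).

```python
"""Flag Sasser-style propagation in constructed firewall log lines."""
from collections import defaultdict

SCAN_PORTS = {445, 139}          # exploit/propagation attempts seen in the thread
SECONDARY_PORTS = {5554, 9996}   # extra ports post #10 attributes to the variants
SCAN_THRESHOLD = 5               # distinct targets on scan ports before alerting (assumed)

# Constructed sample log (not from the thread): "src dst dport action"
SAMPLE_LOG = """\
10.0.5.23 10.0.5.1 445 DENY
10.0.5.23 10.0.5.2 445 DENY
10.0.5.23 10.0.5.3 139 DENY
10.0.5.23 10.0.5.4 445 DENY
10.0.5.23 10.0.5.5 445 DENY
10.0.5.23 10.0.5.6 139 DENY
10.0.5.41 10.0.5.23 5554 ALLOW
10.0.5.77 10.0.5.10 445 ALLOW
10.0.5.77 10.0.5.11 80 ALLOW
"""


def parse_line(line):
    """Split one log line into (src, dst, dport, action)."""
    src, dst, dport, action = line.split()
    return src, dst, int(dport), action


def analyze(log_text, threshold=SCAN_THRESHOLD):
    """Return {host: set_of_reasons} for hosts that look like they carry the worm."""
    targets = defaultdict(set)    # src -> distinct destinations hit on 445/139
    secondary = defaultdict(set)  # dst -> secondary ports other hosts connected to
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, _action = parse_line(line)
        if dport in SCAN_PORTS:
            targets[src].add(dst)
        if dport in SECONDARY_PORTS:
            secondary[dst].add(dport)   # a host accepting 5554/9996 is the suspect
    findings = defaultdict(set)
    for src, dsts in targets.items():
        if len(dsts) >= threshold:      # one legitimate SMB client stays quiet
            findings[src].add(f"scanned {len(dsts)} hosts on 445/139")
    for dst, ports in secondary.items():
        findings[dst].add(f"inbound to secondary port(s) {sorted(ports)}")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in analyze(SAMPLE_LOG).items():
        print(host, "->", "; ".join(sorted(reasons)))
```

Denied attempts count as much as allowed ones, which is the point of the thread: the hosts being hammered need not be exploitable for the source to be worth isolating.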